Cannot re-enable SELinux in Fedora 29

I’m trying to re-enable SELinux in Fedora 29, but for some reason it doesn’t work.
I’ve tried both permanent (/etc/selinux/config) and not permanent (setenforce) setup.

Interestingly, the setenforce command doesn’t work:

# setenforce 0
setenforce: SELinux is disabled

# setenforce 1
setenforce: SELinux is disabled

In a virtual machine I’ve also tried the permanent configuration: I’ve edited /etc/selinux/config and changed to SELINUX=permissive, but after restarting, the command sestatus keeps saying that SELinux is disabled.

I hope you can help me. It could be a good chance to update the Fedora quick doc page about SELinux.

Thanks in advance

SELinux is enabled by default on Fedora, normally.

Can you show the output of SELinux config:

cat /etc/selinux/config

If you’re setting it on the kernel command line, you may well have issues
setting it to something else later on. When you say “Fedora”, as that no
longer refers to one distribution, what do you mean? Fedora Proper (non-
Silverblue and other weird stuff), or one of the random projects under the
Fedora umbrella?

It’s the normal Fedora.
I vaguely mentioned two installations, my regular desktop and a virtual machine. Both run Fedora 29. I installed the desktop some years ago; probably SELinux was enabled but then I disabled it to make my life easier.
However, my main test is on a Fedora virtual machine I’ve built myself using mkosi. Here SELinux is not enabled by default. From now on I’ll use this machine to discuss this issue.

My current config file (note: default was disabled):

# cat /etc/selinux/config 

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Perhaps this is more interesting:

# grep -i selinux /boot/config-4.20.15-200.fc29.x86_64
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_DEFAULT_SECURITY_SELINUX=y
CONFIG_DEFAULT_SECURITY="selinux"

CONFIG_SECURITY_SELINUX_DISABLE=y should mean that it’s not enabled by default, right?

SELINUX=enforcing would mean it is enabled though, wouldn’t it? I think CONFIG_SECURITY_SELINUX_DISABLE=y could mean that it is allowed to be disabled?
Perhaps it is disabled in the bootloader in /etc/grub.conf in the kernel arguments.
What does sestatus -v show?

You are right. I was misled by a blog post…

sestatus -v doesn’t print any verbose information. It returns the same output as sestatus.

I have grub2. I believe this is the file to be checked, but cannot find any selinux occurrence.
grep -i selinux /boot/grub2/grub.cfg returns nothing.

What about cat on the grub.cfg file, it isn’t that large usually?
From the SELinux Fedora docs: “Disabled mode is strongly discouraged; not only does the system avoid enforcing the SELinux policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future.” Did you have SELinux disabled on your VM?
When I issue the sestatus -v command I get the process and file contexts as well as the same info as sestatus gives. You should see some differences, I would think. Possibly enter touch /.autorelabel, then reboot with SELinux enabled and in permissive (setenforce=0); if you have been running in disabled, as in off, then there is a good chance the contexts are out of whack.

Sorry, I used the wrong terminal. /boot/grub2/grub.cfg is on my desktop machine, not in my virtual machine.
In the VM there’s no grub.cfg and I can’t find much:

# find / -name grub*.conf
/etc/prelink.conf.d/grub2.conf
[root@localhost ~]# cat /etc/prelink.conf.d/grub2.conf 
# these have execstack, and break under selinux
-b /usr/bin/grub2-script-check
-b /usr/bin/grub2-mkrelpath
-b /usr/bin/grub2-fstest
-b /usr/sbin/grub2-bios-setup
-b /usr/sbin/grub2-probe
-b /usr/sbin/grub2-sparc64-setup

Yes, as I wrote, it was disabled from the beginning. Perhaps because it’s a custom-built Fedora? I’ll try an official Fedora ISO image. It could be a good chance to try Silverblue: does it come with SELinux enabled?

AFAIK all Fedora products come with SELinux enabled OOTB.

Hmm, what if you check in /boot/efi? You might not normally have read permissions there, but on a UEFI system it would be under /boot/efi/EFI/fedora/grub.cfg.

I think it’s in /boot/loader/grub.cfg in the VM, at least mine is.

find / -name grub.cfg does not return anything. As soon as I have time, I’ll check with an official Fedora ISO. I guess the subject of this discussion should be changed to “How to re-enable SELinux”, but I’ll proceed step by step.
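
Added example (not part of the thread, and not code from any poster): a small shell check that gathers the three things discussed above in one place: the SELINUX= value in /etc/selinux/config, any selinux=/enforcing= arguments the running kernel was booted with, and whether /.autorelabel is present. It reads the kernel arguments from /proc/cmdline, so it works even when no grub.cfg can be found; the function names and verdict strings are made up for this example.

```shell
#!/bin/sh
# Added example: explain why SELinux may still report "disabled".
# File paths are arguments so the functions can be pointed at a mounted image.

# Print the mode from the uncommented SELINUX= line (SELINUXTYPE= is not matched).
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" 2>/dev/null | tail -n 1
}

# Print the selinux=/enforcing= arguments found in a kernel command line string.
cmdline_selinux_args() {
    out=""
    for arg in $1; do
        case "$arg" in
            selinux=*|enforcing=*) out="$out $arg" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# One verdict line. Usage: diagnose CONFIG_FILE CMDLINE_STRING ROOT_DIR
diagnose() {
    mode=$(selinux_config_mode "$1")
    case " $(cmdline_selinux_args "$2") " in
        *" selinux=0 "*) echo "kernel-cmdline: selinux=0 overrides the config file"; return 0 ;;
    esac
    case "$mode" in
        enforcing|permissive) ;;
        disabled) echo "config: SELINUX=disabled"; return 0 ;;
        *) echo "config: no valid SELINUX= line"; return 0 ;;
    esac
    if [ -e "$3/.autorelabel" ]; then
        echo "config: $mode, relabel scheduled for next boot"
    else
        echo "config: $mode, no relabel scheduled"
    fi
}

# Run against the live system only when asked to.
if [ "${1:-}" = "--live" ]; then
    echo "boot args: $(cmdline_selinux_args "$(cat /proc/cmdline)")"
    diagnose /etc/selinux/config "$(cat /proc/cmdline)" ""
fi
```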